Bug 912982 (CVE-2013-1665)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2013-1665 Python xml bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities | | |
| Product | [Other] Security Response | Reporter | Kurt Seifried <kseifried> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | c.david86, mjc, ohudlick, paul, veillard |
| Target Milestone | --- | Keywords | Reopened, Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2015-08-03 06:21:44 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 910221, 910222, 910232, 913054, 917199, 917200 | | |
| Bug Blocks | 916494, 916496, 916499, 916886, 1067315 | | |
Description
Kurt Seifried
2013-02-20 05:47:04 UTC
This issue has been addressed in the following products:

- OpenStack Folsom for RHEL 6, via RHSA-2013:0596 https://rhn.redhat.com/errata/RHSA-2013-0596.html
- OpenStack Folsom for RHEL 6, via RHSA-2013:0670 https://rhn.redhat.com/errata/RHSA-2013-0670.html
- OpenStack Folsom for RHEL 6, via RHSA-2013:0658 https://rhn.redhat.com/errata/RHSA-2013-0658.html
- OpenStack Folsom for RHEL 6, via RHSA-2013:0657 https://rhn.redhat.com/errata/RHSA-2013-0657.html

Python's interfaces for processing XML are grouped in the xml module, which is a part of the python package. The XML modules are not secure against erroneous or maliciously constructed data, and such data should not be directly parsed via Python's xml modules. This is clearly documented at:

- https://docs.python.org/2/library/xml.html
- https://docs.python.org/2/library/xml.html#xml-vulnerabilities

Python upstream suggests the use of "defusedxml" packages, but they break backward compatibility.

Statement: This issue affects the versions of python as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates.
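As an added example (not part of the Bugzilla entry and not Red Hat's or Python's code), the guard below shows one way to keep using the standard library's xml modules on untrusted input without the compatibility break of switching to defusedxml: it hooks expat's DTD handlers, the same layer defusedxml wraps, and rejects any document that declares a DOCTYPE or entity before the parser can expand or fetch anything. The function names and the two sample documents are constructed for this illustration.

```python
"""Constructed example: refuse DTDs before the stdlib XML parser can expand them."""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class ForbiddenDTD(ValueError):
    """The document carries a DOCTYPE or entity declaration."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse with xml.etree only after an expat scan confirms there is no DTD.

    expat reports the DOCTYPE before anything declared inside it, so raising
    from that handler rejects internal entities (expansion DoS) and SYSTEM /
    PUBLIC external entities alike before any of them is expanded or fetched.
    """
    scanner = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE {name!r} not allowed in untrusted input")

    def on_entity(*decl):  # second line of defence, should never be reached
        raise ForbiddenDTD("entity declaration not allowed in untrusted input")

    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.EntityDeclHandler = on_entity
    scanner.Parse(data, True)   # ForbiddenDTD on a DTD, ExpatError on malformed XML
    return ET.fromstring(data)  # second pass builds the tree from known-clean bytes


def is_rejected(data: bytes) -> bool:
    """True when the guard refuses the document, False when it parses."""
    try:
        parse_untrusted_xml(data)
    except ForbiddenDTD:
        return True
    return False


# Constructed sample inputs: a plain document and one declaring an entity.
SAFE_DOC = b'<?xml version="1.0"?><order><item qty="2">widget</item></order>'
DTD_DOC = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY w "widget">]>'
           b'<order><item>&w;</item></order>')

if __name__ == "__main__":
    print("safe document root:", parse_untrusted_xml(SAFE_DOC).tag)   # order
    print("DTD document rejected:", is_rejected(DTD_DOC))             # True
```

The same two handlers can be installed on a parser built by xml.sax or xml.dom.minidom, since all of them sit on expat; the first pass costs one extra scan of the input, which is the price of not depending on a third-party package.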